A new trend in Web design is to add mashup gadgets to Web 2.0 sites. Many sites offer huge libraries of such mashups, and adding one to a site is extremely simple. Mashups easily add features and a more professional look. Unfortunately, they also add potential vulnerabilities.
A mashup is a piece of source code (often JavaScript built on an Ajax framework) that is dropped into the host page. It has a known, "documented" set of features. But are there no hidden features? Some of the code could leak data: a script included in a page runs with the same access to that page as the site's own code, so it can read whatever the page can read (cookies, form contents, the DOM) and send it wherever it likes. It is interesting that people may be very careful with incoming mail, yet be totally unaware of mashups and accept any of them as soon as it looks good. Once more it is a question of trust. Do you trust the developer of the mashup?
IBM has proposed a framework for securing mashups: SMash. It is an open source project. This is a first step. But even if the source of a mashup is authenticated, that does not mean the mashup carries no bad payload. The questions should be: do you know the authenticated entity? Do you trust it? Can you examine the code?
Other companies, such as Microsoft, are also working on the topic. No doubt mashup security will become a hot topic once the first malware mashups go mainstream.